This invention relates to the field of computer systems. More particularly, a system and method are provided for using opaque groups within a federated identity community or environment.
Identity management—the process of identifying or verifying a user's identity—has evolved from centralized solutions to federated solutions. In a centralized identity management system, each network, domain, namespace or other userspace is separately and independently managed. Each space authenticates users that connect to the space, for activity solely within that domain, and a user that accesses multiple spaces must separately verify its identity within each space (e.g., via separate login procedures).
In a federated identity management solution, two or more separately managed identity systems trust each other to properly assign and verify user identities. By cooperating in the authentication and authorization of users, they promote the portability of user identities between the separate systems' spaces and facilitate users' access to resources residing outside their own spaces.
For example, two or more organizations may agree to trust each other's identity management systems and practices. Then, when a customer or employee logs in to his or her home userspace, the user's authenticated identity and identity attributes will be accepted in the other organizations' spaces. The user may therefore access resources in all cooperating organizations' networks while only logging in and verifying his or her identity once.
However, existing federated identity management systems, or federations, require users' true identities to be shared when they use services within the federated system. As one consequence, membership in groups cannot be obscured, and any member can see other members' true identities. For example, when a message is distributed to all members or the members gather for an online meeting, their true identities are visible throughout the group. For some groups this may not be a problem, but when the group comprises business competitors (or other users and/or organizations that are or may be in conflict) cooperating in a technical standards committee, trade forum, industry working group or other such gathering, it may better serve the group and its purpose if membership could be kept anonymous.